Alright, so let’s think from the bad part point of view. This doesn’t work if they wanna have premium rate numbers, wanna extract money automatically with malware. They have to do it with some other mechanism than 1-900 numbers.And to this forum posting from March 2010. This is posted on XDA-developers1, which is an online forum for smartphone users.
There is one guy, wrote this posting explaining that he was woken up on Sunday morning at 2:40 AM. He woke up because he was sleeping right next to his phone and the lights on his phone turned on. And he looked at his phone and his phone was making a phone call. Alright? So, he looked at the log and realized that his phone has actually made a number of calls.
So he, he was baffled about this, he made his posting. He listed the numbers that he found from his phone call logs and asked does anybody have any idea what’s going on.
Well, nobody had an idea, no replies. Nothing happened for 5 days. Then 5 days later, suddenly new users started registering on this forum, and started posting replies to this forum. And basically all the replies were along the lines that, you know what, same thing happened on my phone, I’m from Denmark, and same thing happened for my phone, I am from Tokyo.
So people from all over the world, started posting replies on this forum posting. Because what happened is that they had the same thing happening on their phone. They saw from their call logs, the number where the phone had dialed in, of course what they lose if they google for the number. What else do you do? And when you googled for any of these numbers, one hit, one hit only, which was this forum posting. So obviously, all the people who were trying to figure out what’s going on with their phone ended up replying on the same thread.
So then somebody pointed this out to us. And we went to the same forum. We posted there basically, you know, explaining we are F-Secure antivirus company, we work with mobile antivirus for a long time. We’re pretty confident this is a virus or worm or Trojan doing this. And we asked people who were affected by this, to post a list of applications they have installed on their devices.
And all the users who were complaining were running Windows Mobile. Windows mobile 6 or Windows Mobile 6.5 And people posted whatever applications they had installed. And they had different e-mail clients, different calendar applications, different games.
One thing they all had, one thing what was common in all these devices all over the world, which was doing this, was that they all had this game: ‘3D Anti-terrorist Action’, which is a 3D shooting game, it’s actually a Counter Strike clone.
It’s actually a very good game, very fast, no, very nice game. And it’s made by this Chinese company called ‘Huike’. And ‘Huike’ is a fairly large, OEM game manufacturer writing 3D games. And they’ve done nothing wrong. This is a commercial game, written a year and a half ago, being sold by ‘Huike’ typically for 5 dollars or so.
What happened was that an unknown Russian hacker got this commercial game, cracked it, removed copy protection. Then created a copycat website of ‘Huike’, registering a new domain name that sounded similar, copied the content over and then post himself, that I am the developer of this game. And submitted the cracked version of the game as a free demo to several Windows Mobile download sites around the world. Sites where people can download games for their phones. And it is a good game, and now it was free. And of course these download sites believed that it’s the real deal, it all looked real, right, how would they know that this guy who was coming from this website, isn’t actually the real company.And of course the only, the modification of removing copy protection, wasn’t the only thing modified in the game. The main modification that was done to the game was this (See image). The hacker had added a small code snippet, which modified the system to work so that when the game was installed initially, it waited for a delay of random amount of hours, somewhere between 0 and 12 hours, and then it issued a series of phone calls.
Phone calls to these 8 numbers listed right here. And it waited for 0xc350, that’s 50,000 timer ticks, waited for the call to go on and then it shut down the call and issued another call.
And once it had called all of these numbers, these 8 numbers, then it sleeped for 31 days. After 31 day, it repeated the calls and sleeped for 31 days. That’s what it does.
And when you call these numbers, this will create you around 12 dollars in costs. And the logic in doing this only every 31 days is that most of us have a monthly bill. If you don’t have a prepaid number, then you typically get a monthly bill. If you get an extra 12 dollars international calls in your bill, well some of us will notice, some of us won’t, I wouldn’t notice for example.
I have, you know, so, so much international calls anyway that 12 dollars would easily go through.
So, what are these numbers? Where was the phone actually calling? Well, it was calling the South God Damn Pole! Yes, it was calling Antarctica, it was calling Dominican Republic, it was calling different satellite providers, it was calling Somalia in Africa, San Tome and Principe, which is a very small island name somewhere outside of Africa on the West cost.
And it’s pretty obvious, that you know, if you call faraway places like these, it’s going to be an expensive call. Everybody understands that. If you’re gonna call the South Pole, it’s gonna cost you money, right?
So, how does the guy get money out of this? That’s the crucial part. How does this actually work, so that the guy running this operation, is able to get money out of it and is able to do it without getting caught, and is able to continue it, although there might be attempts to take down.
And this all done by the fact that these numbers are so called international premium rate numbers, which means they are not premium rate numbers, theу are perfectly, in perfectly normal number space but they are very expensive.
1 – Xda-Developers is a mobile software development community of users worldwide.